README.md

# GPG Key Repo

Purpose: Manage gpg keys for:

- SOPS

## Key Management

### 1. Onboarding: how to create and add a gpg key

Import gpg keys:

```bash
gpg --import /path/to/keys/*.gpg.pub
```

List imported gpg keys (long key ids are what the sops config refers to):

```bash
gpg --list-keys --keyid-format=long
```


#### Groups

Access for each repo is tracked using the `./groups/` directory; each sub-directory represents a "group" (note: some "groups" are also "roles", e.g. `admin`). To grant a key access, symlink it from the group directory:

```bash
cd groups/<project_name>
ln -s ../../<path_to_key.gpg.pub>
```

### 2. Offboarding: Archive Expired Keys (EOL)

To mark a key as expired, move it to the `archive/` dir as follows:

```bash
mv ${keyname} "archive/${keyname}_$(date '+%Y-%m-%d').archive"
```
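Moving a key into `archive/` leaves every `groups/<group>/<key>` symlink that pointed at it dangling, so the expired key still shows up as a group member until those links are removed. The following helper, an added example that is not part of this repo's README or its `bin/` scripts, archives the key and cleans up the group symlinks in one step; it assumes the layout described above (keys in the repo root, symlinks in `groups/<group>/`, archived keys in `archive/`).

```bash
#!/usr/bin/env bash
set -eu
# Added example: archive an expired key and drop its group memberships.
# Assumed layout (from this README): REPO/<key>, REPO/groups/<group>/<key>
# (symlinks created with `ln -s ../../<key>`), REPO/archive/.

# archive_key REPO KEYNAME [DATE]
# Moves REPO/KEYNAME to REPO/archive/KEYNAME_<DATE>.archive and removes every
# symlink REPO/groups/*/KEYNAME, so the key is no longer a member of any group
# the next time a consumer repo's .sops.yaml is regenerated.
# Prints the names of the groups the key was removed from, one per line.
archive_key() {
  local repo=$1 keyname=$2 date=${3:-$(date '+%Y-%m-%d')}
  local key="$repo/$keyname"
  [ -f "$key" ] || { echo "no such key: $key" >&2; return 1; }
  mkdir -p "$repo/archive"
  mv "$key" "$repo/archive/${keyname}_${date}.archive"
  # After the move the group symlinks dangle; match them by name, since
  # resolving them with readlink -f would now fail.
  local link
  for link in "$repo"/groups/*/"$keyname"; do
    [ -L "$link" ] || continue
    rm "$link"
    basename "$(dirname "$link")"
  done
}

# check_dangling REPO
# Lists symlinks under REPO/groups/ whose target no longer exists.
# Empty output means every group member still points at a live key.
check_dangling() {
  find "$1/groups" -type l ! -exec test -e {} \; -print
}
```

Run `check_dangling .` in the repo root after any manual `mv` into `archive/`; it is a cheap pre-commit check that no group silently references an archived key.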

### 3. Configure sops config

Context: this repo stores the keys used to encrypt secrets in other repos. Each of these "consumer" repos contains a sops config, `.sops.yaml`, which controls who can decrypt the encrypted files (e.g. `secrets.yaml`).

The following commands show how to update the `.sops.yaml` of a consumer repository:

```bash
# E.g. update sops config for DevNSO
% git clone git@git.dev-at.de:cloud-solutions/nso/devnso-adp-argocd.git
% cd devnso-adp-argocd/

# List available groups
% ${PATH_TO_THIS_REPO}/bin/update_sops.sh --list_groups
# INFO: listing groups
admin
automation
devnso-adp-argocd

# For a given group, update sops config and specified secrets file
% ${PATH_TO_THIS_REPO}/bin/update_sops.sh -r devnso-adp-argocd -s ./adp-api-devs/adp-api-devs/secrets.yaml
% git diff
```

## Configure SOPS

SOPS is used for encrypting secrets, e.g. credentials for various systems.

### Install

https://github.com/getsops/sops

Note:

### Usage

Decrypt and display secrets in the terminal:

```bash
GPG_TTY=$(tty) sops secrets.yaml
```

Note: `GPG_TTY` is necessary for the passphrase prompt to appear. Source: https://www.varokas.com/secrets-in-code-with-mozilla-sops/

Note: `secrets.yaml` is just an example; the file can have any name.

### Example - Manual

The steps in the following example can be run locally in order to:

- create a sample secrets file
- encrypt the file
- decrypt the file

If these steps work, sops is configured correctly - on your machine ;-)

```bash
#!/usr/bin/env bash
set -ueo pipefail
# demo: create a file with a mock secret, src: https://bash-org-archive.com/?244321
# PREREQUISITE: valid sops config, i.e. .sops.yaml - Note: most repos already have one
# further reading: https://github.com/getsops/sops?tab=readme-ov-file#using-sops-yaml-conf-to-select-kms-pgp-and-age-for-new-files
yq -n '.demo.credentials.secret = "hunter2"' > secrets.yaml
# encrypt in place
sops -e -i secrets.yaml

# decrypt, print to console
sops -d secrets.yaml
```

### Example - Automation

```bash
cd verify/
./cmd_sops.sh
```